My organization is working on an ELK implementation project. One area we've experienced difficulties is gathering Windows EventLog data. In the community, the current best option appears to be using a local syslog app like nxlog to forward EventLog to Logstash.
Our own current solution is utilizing custom code written in C utilizing a few open source packages to execute remote WMI queries against a list of Windows hosts to pull this data back. It periodically runs (every 5 minutes currently). We then send it to Logstash. We like this approach as it doesn't require a heavy client/service to be deployed and configured on each Windows host. We simply maintain a list of Windows hosts. Of course, it has a bit of latency built-in (5 minute run interval). This process currently runs on Ubuntu 14 (yes, a Linux box is acting as our Windows EventLog collector).
I'm curious if this sounds like a candidate for beats implementation. I haven't explored what it would take to normalize and open-source our code, or adapt it for beats use but I'd love to talk to someone if there's interest.
We originally prototyped with just 25 hosts but have now scaled up to 250-300 and once our ELK stack is a bit more mature (currently demo/prototype) we'll be running this against 1,500-1,800 Windows hosts.